NYC Health + Hospitals Data Breach Exposes Social Security Numbers and Medical Records

Healthcare data breach illustration
Breach Discovery: Not Publicly DisclosedBreach Notification: 24th March 2026

What Happened in the NYC Health + Hospitals Data Breach?

NYC Health + Hospitals, the largest public health care system in the United States, has disclosed a major data breach affecting approximately 1.8 million people. The organization reported that a broad range of sensitive information was compromised. This includes both personally identifiable information and protected health information.

According to the disclosure, the breach involved several distinct categories of exposed data. As a result, affected individuals face varying types of risk depending on which categories applied to them. The organization has not publicly disclosed the specific method attackers used to gain access, nor has it stated exactly when the intrusion itself occurred.

NYC Health + Hospitals reported the breach to the U.S. Department of Health and Human Services on March 24, 2026. In addition, the organization posted a notice of the data breach on its official website. This notice outlines the incident and provides guidance for people who may have been affected.

Because the organization has not released additional forensic details, many questions remain about how the breach happened. However, the scope of the disclosure suggests a significant and wide-ranging exposure of sensitive health system data. Affected individuals should continue to watch for updates as the investigation proceeds.

Who was affected?

The NYC Health + Hospitals data breach affected approximately 1.8 million people. This makes it one of the largest healthcare data breaches reported in recent memory. Because NYC Health + Hospitals is a public health system, the affected population likely includes patients from across New York City.

The breach may affect anyone who received care, insurance processing or billing services through an NYC Health + Hospitals facility. This could include current patients, former patients and possibly their guardians if minors received care. The organization has not specified whether employees were also affected, so individuals should rely on official notifications for confirmation.

Given the size of the public health system, the geographic scope of affected individuals is likely broad. For example, patients who used any of the system’s hospitals, clinics or health programs could be included. Anyone unsure of their status should watch for a direct notification letter from the organization.

What Information Was Potentially Exposed?

The breach exposed an unusually wide variety of sensitive data types. This combination of medical, biometric and financial information creates multiple layers of risk for affected individuals. Below is a summary of the specific categories involved.

  • Health insurance plans and policies
  • Insurance company names and member or group ID numbers
  • Medicaid, Medicare and other government payor ID numbers
  • Medical record numbers
  • Disability codes, diagnoses, medications, test results, images and treatment plans
  • Fingerprints and palm prints
  • Billing, claims and payment information
  • Social Security numbers
  • Driver’s license numbers and other government-issued identification numbers
  • Taxpayer identification numbers and IRS-issued identity protection numbers
  • Precise geolocation data
  • Credit or debit card numbers
  • Financial account information or credentials
  • Online account credentials

This range of exposed information creates serious risk of medical identity theft. For example, someone could use another person’s health details to obtain care, prescriptions or insurance benefits without their knowledge. Because medical identity theft often goes unnoticed for months, victims may not realize the harm until they receive a suspicious bill or denial of coverage.

In addition, the exposure of Social Security numbers, financial account details and government ID numbers raises the risk of traditional identity theft and financial fraud. Criminals could open new credit accounts, file fraudulent tax returns or attempt to access existing financial accounts. The inclusion of biometric data adds a unique concern because fingerprints and palm prints cannot be changed or reissued once exposed, unlike a password or card number.

What is the company doing?

NYC Health + Hospitals has begun notifying individuals whose information may have been involved in the breach. This notification process follows the organization’s report to federal regulators on March 24, 2026. As a result, affected individuals should expect to receive official communications directly from the health system.

The organization has also posted a notice of the data breach on its website, which includes details about the incident. This notice explains what protective services or resources may be available, such as credit monitoring or identity theft protection. Individuals who believe they were affected should review this notice for enrollment instructions.

Because the breach affected such a large number of people, NYC Health + Hospitals is likely coordinating a broad outreach effort. However, specific technical remediation steps have not been publicly detailed. Affected individuals should rely on official notification letters for the most accurate and personalized information about their exposure.

What Should Affected Individuals Do?

Place a Fraud Alert or Credit Freeze

Given that Social Security numbers, driver’s license numbers and financial account information were exposed, affected individuals should contact all three credit bureaus. Equifax, Experian and TransUnion can each place a fraud alert or credit freeze on your file. This step helps prevent criminals from opening new accounts using your identity.

A credit freeze restricts access to your credit report, which makes it harder for identity thieves to open accounts in your name. Because this breach included sensitive identification numbers, taking this step quickly is especially important. You can contact Equifax, Experian and TransUnion directly to start the process.

Monitor Your Credit Reports and Financial Accounts

Affected individuals should request free copies of their credit reports at AnnualCreditReport.com. Reviewing these reports regularly helps you catch unfamiliar accounts or credit inquiries early. This is especially important since financial account information and card numbers were part of the exposed data.

In addition to credit reports, individuals should monitor their bank and card statements closely. For example, watch for small unauthorized charges, which criminals sometimes use to test stolen financial information before making larger purchases. Reporting suspicious activity promptly can limit potential financial damage.

Watch for Signs of Medical Identity Theft

Because health insurance and medical information were exposed, affected individuals should closely review their Explanation of Benefits statements. These statements show services and prescriptions billed under your insurance. If you notice care or medications you did not receive, this could indicate medical identity theft.

Medical identity theft can affect your health records as well as your finances. For instance, incorrect information added to your medical file could affect future treatment decisions. If you notice unfamiliar entries, contact your insurer and healthcare provider immediately to correct your records.

Update Passwords and Enable Two-Factor Authentication

Since online account credentials were included in the breach, affected individuals should change passwords on any accounts that may share the same login information. This is particularly important if you reused passwords across multiple sites. Creating strong, unique passwords reduces the risk of further unauthorized access.

Enabling two-factor authentication adds another layer of protection. As a result, even if a password is compromised, an attacker would still need a secondary code to access your account. This simple step can significantly reduce the risk of account takeover.

Stay Alert for Phishing Attempts

Scammers often use news of a data breach to send fake messages pretending to be from the affected organization. Because this breach involves NYC Health + Hospitals, watch for emails, texts or calls referencing the health system or the breach itself. Never click on suspicious links or provide personal information in response to unexpected messages.

If you suspect identity theft, you can file a report with the Federal Trade Commission at IdentityTheft.gov. This site provides a personalized recovery plan and step-by-step guidance. Consulting a data breach attorney may also help you understand your legal options and whether you qualify for compensation.



More Information

Official Notice from Nychealthandhospitals

Official Notice from Nychealthandhospitals

Related Data Breaches